Abstract

With the advent of quantum key distribution (QKD) systems, perfect (i.e. information-theoretic) security can 
now be achieved for distribution of a cryptographic key. QKD systems and similar protocols use classical
error-correcting codes for both error correction (for the honest parties to correct errors) and privacy amplification (to make
an eavesdropper fully ignorant). From a coding perspective, a good model that corresponds to such a setting is the 
wire tap channel introduced by Wyner in 1975. In this paper, we study fundamental limits and coding methods for 
wire tap channels. We provide an alternative view of the proof for secrecy capacity of wire tap channels and show 
how capacity achieving codes can be used to achieve the secrecy capacity for any wiretap channel. We also consider 
binary erasure channel and binary symmetric channel special cases for the wiretap channel and propose specific 
practical codes. In some cases our designs achieve the secrecy capacity and in others the codes provide security 
at rates below secrecy capacity. For the special case of a noiseless main channel and binary erasure channel, we 
consider encoder and decoder design for codes achieving secrecy on the wiretap channel; we show that it is possible 
to construct linear-time decodable secrecy codes based on LDPC codes that achieve secrecy. 

I. Introduction and Motivation 

The notion of communication with perfect security was defined in information-theoretic terms by Shannon [1]. 
Suppose a k-bit message M is to be transmitted securely from Alice to Bob across a public channel. Perfect
security is said to be achieved if the encoding of M into a transmitted word X is such that the mutual information
$I(M; X) = 0$. From this definition, Shannon concluded that Alice and Bob should necessarily share k bits of key
for achieving perfect security. 

An alternative notion of communication with security was introduced by Wyner [2]. Wyner introduced the wire 
tap channel, which has matured into a system depicted in Fig. 1. In a wire tap channel, the honest parties Alice
and Bob are separated by a channel C1 called the main channel. The important modification when compared to
Shannon's study of security is that any eavesdropper Eve observes information transmitted by Alice through another
channel C2 called the wiretapper's channel. C1 and C2 are assumed to be discrete memoryless channels (DMCs).
Suppose Alice and Bob try to (securely) communicate a k-bit message M across C1. Alice encodes M into an
n-bit transmitted word X. The legitimate receiver Bob and an eavesdropper Eve receive X through two different
channels C1 and C2, respectively. Bob's and Eve's observations are denoted Y and Z, respectively. Alice's encoding
should achieve two objectives: (1) [Security] In words, Z should provide no information about M. The precise
formulation used in this paper is that the rate of mutual information $\frac{1}{n} I(M; Z) \to 0$ as $n \to \infty$. (2) [Reliability]
Y can be decoded into M with negligibly small probability of error. Wyner showed that both objectives can be
attained by forward coding without any key bits if the channels C1 and C2 satisfy some conditions. The rate k/n
is called the secrecy rate.

Fig. 1. Wire tap channel.

Secrecy capacity of a wire tap channel is the largest k/n for which the objectives of secure and reliable
communication are achievable. Secrecy capacity is a function of the channels C1 and C2. If the capacity of C1
is greater than the capacity of C2, one would intuitively expect secrecy capacity to be positive. This intuition has
been justified in several cases. Wyner [2] showed that if C2 is a degraded version of C1 (C2 is C1 concatenated
with another DMC) then secrecy capacity is positive. Csiszár and Körner [3] showed that the secrecy capacity is
positive for the cases when C1 is "less noisy" than C2. However, computing secrecy capacity of a general wire
tap channel efficiently given DMCs C1 and C2 still remains an unsolved problem. The most recent progress in this
problem was made by Van Dijk [4]. 

The key distribution problem in wire tap channels, which falls under the general problem of key generation from 
correlated source outputs, has been studied extensively [5], [6], [7]. The objective of secure key distribution is for 
Alice and Bob to share a common k-bit key about which Eve's entropy is maximal. In key distribution, the k bits
can be unknown to Alice before transmission. Powerful ideas such as common randomness, advantage distillation 
and privacy amplification were developed in the context of key distribution over wire tap channels [7], [8]. Several 
key distribution protocols have been developed and studied; many of the protocols make use of a parallel, error-free 
public channel between Alice and Bob during implementation. 

The problem of developing forward coding schemes (with no parallel channel) for secure communication over
wire tap channels has not received much attention. Some examples of coding schemes have been provided in [2]
and [5]. A condition for constructing codes for the modified wire tap channel, introduced by Ozarow and Wyner [9], 
has been studied by Wei [10]. Code construction methods and their connection to security have not been extensively 
explored so far. However, existence of coding schemes for various generalized wire tap channel scenarios has been 
proved by several authors recently [11], [12], [13]. In particular, the existence of coding methods based on LDPC 
codes has been shown in [13]. 

In this paper, we focus on the problem of developing coding schemes for secure communication across wire 
tap channels. We begin by discussing the secrecy capacity theorem for certain wire tap channels. We provide a 
careful reworking of the proof so that the requirements of security and reliability are separated. We generalize an 
important link between capacity-approaching codes and security. This alternative view of the proof provides a clear 
construction method for coding schemes for secure communication across arbitrary wire tap channels. 

Later, we use this idea to develop codes for different wire tap channels. For a wire tap channel with a noiseless 
main channel and a binary erasure channel (BEC) as the wire tapper's channel, we provide codes that achieve secrecy 
capacity using the threshold properties of codes on graphs under message passing decoding. To our knowledge, 
these are the first codes that achieve secrecy capacity over wire tap channels. Using this construction, we show that 
it is possible to construct linear-time decodable codes that achieve security over such wire tap channels. Next, we 
extend the construction to wire tap channels that have BECs as both the main and wiretapper's channel. We show 
important connections between the threshold of codes on graphs under message-passing decoding and security. 
Finally, we consider a wire tap channel with a noiseless main channel and a binary symmetric channel (BSC) as 
the wiretapper's channel. For this case, we provide a coding solution using codes that have good error-detecting 
capability. 

Throughout the paper, the criterion for security is that the mutual information between the message and an 
eavesdropper's observables goes to zero rate-wise. Note that this formulation (originally due to Wyner [2]) is 
weaker than the accepted security criteria in contemporary work in cryptography, which typically require the total 
mutual information to go to zero. Hence, this work can be seen as a conceptual advancement in the area of forward 
coding for wire tap channels. With future study, stronger security criteria such as an exponential fall in mutual
information could become possible for such codes over a wire tap channel. 

The rest of the paper is organized as follows: In Section II, we briefly discuss secrecy capacity for wire tap
channels and point out the connection between capacity-approaching codes and secrecy. In Section III, we discuss
the general coding scheme for wire tap channels used in the remainder of the paper. In Section IV, we present codes
for wire tap channels with a noiseless main channel and a BEC as the wiretapper's channel; in Section V, we modify
the above codes and extend them to construct linear-time decodable codes for these wire tap channels. In Section
VI, we present codes for wire tap channels with BECs as both main and wiretapper's channels. In Section VII,
we present code constructions for wire tap channels with a noiseless main channel and a BSC as the wiretapper's
channel. Finally, we conclude in Section VIII with a discussion of results and topics for future research.

II. Coding for the Wire Tap channel

In a general wire tap channel (Fig. 1), C1 and C2 are discrete memoryless channels (DMCs). The two DMCs
have the same input alphabet but different output alphabets. C1 is denoted $X \to Y$, where X is a random variable
denoting an input symbol to C1, and Y is a random variable denoting an output symbol from C1. Similarly, C2
is denoted $X \to Z$. A sequence of n input symbols is denoted by $X^n$ or $\mathbf{X}$. $Y^n$ and $\mathbf{Y}$, and $Z^n$ and $\mathbf{Z}$ have
similar notations for the outputs. C1 and C2 of a wire tap channel are called the main channel and wire tap channel,
respectively.

A. Secrecy capacity of the wire tap channel 

The notion of secrecy capacity, as introduced by Wyner [2], has an operational meaning of being the maximum 
possible rate of information transmission between Alice and Bob that still enables Eve to be kept totally ignorant. 
Before defining the operational meaning precisely, we look at the calculation of secrecy capacity for a given wire 
tap channel. The secrecy capacity $C_s$ for a general wire tap channel can be calculated as follows [3]:

$$C_s = \max_{V \to X \to (Y, Z)} [I(V; Y) - I(V; Z)], \qquad (1)$$

where the maximum is over all possible random variables V in joint distribution with X, Y and Z such that
$V \to X \to (Y, Z)$ is a Markov chain. The random variable V does not have a direct physical meaning; it is used
for calculation purposes. Note that $C_s$ could turn out to be zero or negative in some cases. At present, the calculation
of secrecy capacity is an unsolved problem when C1 and C2 are general DMCs. However, the calculation of secrecy
capacity can be simplified for some special cases that impose restrictions on the wire tap channel with respect to 
the main channel. 

If $I(V; Y) > I(V; Z)$ for all Markov chains $V \to X \to (Y, Z)$, the main channel is said to be less noisy than
the wire tap channel. If the main channel is less noisy than the wire tap channel [3], then

$$C_s = \max_{P_X(x)} [I(X; Y) - I(X; Z)], \qquad (2)$$

where the maximum is over all possible distributions $P_X(x)$ of X. Moreover, as shown in [4], $I(X; Y) - I(X; Z)$
is a convex function of $P_X(x)$ when the main channel is less noisy than the wire tap channel; hence, the secrecy
capacity can be calculated using convex optimization methods. It was further shown in [4] that if $I(X; Y)$ and
$I(X; Z)$ are individually maximized by the same $P_X(x)$, and the main channel ($X \to Y$) is less noisy than the
wire tap channel ($X \to Z$), then

$$C_s = \mathrm{Capacity}(X \to Y) - \mathrm{Capacity}(X \to Z), \qquad (3)$$

where Capacity(.) refers to the usual channel capacity.

B. Coding method 

The coding problem for Alice in the wire tap channel involves adding redundancy for enabling Bob to correct 
errors (across the main channel) and adding randomness for keeping Eve ignorant (across the wire tap channel). The
coding method presented here is not new. It is present in the proofs in [2] and [3]. More recently, similar coding
methods have been used in [11], [12] for finding bounds and error exponents in the context of wire tap channels.
However, our method of proof separates the requirements of security and reliability and results in a simple design
method for codes over a wire tap channel.

Let us assume that Alice needs to transmit one out of M equally likely messages, i.e. a message denoted u is
such that $u \in \{1, 2, \ldots, M\}$ and $\mathrm{Prob}\{u = i\} = 1/M$. Alice uses M codes $C_i$, $1 \le i \le M$, with $|C_i| = L$
and block-length n. Each codeword of $C_i$ consists of n symbols from the input alphabet of the main or wire tap
channel. We let the common input alphabet to the two channels be $\{1, 2, \ldots, K\}$. A symbol of the input alphabet
is denoted k. A message u is encoded into a transmitted word x as follows: x is chosen uniformly at random from
the code $C_u$. The coding method is illustrated in Fig. 2. The transmitted word x, in general, belongs to the overall
code $C = \cup_i C_i$. The rate of information transmission from Alice to Bob (in terms of bits per channel use) in such
a setting is given by $\log_2 M / n$. The receiver on the main channel (Bob) decodes a received word y with respect
to the overall code C into a decoded message $\hat{u}$ (say, by Maximum-Likelihood (MaxL) decoding).

Fig. 2. Coding method for the wire tap channel.



The objective of Alice and Bob in a wire tap channel can now be given a precise definition. Let U, $\hat{U}$, and Z
be random variables denoting Alice's message, Bob's decoded message, and Eve's received word, respectively. Let
H(V) represent the entropy of a random variable V. Then, the objective is to achieve the following:

$$\mathrm{Prob}\{U \neq \hat{U}\} \to 0, \qquad (4)$$

$$I(U; Z)/n \to 0. \qquad (5)$$

The constraint (5) is referred to as the security constraint, while (4) is called the reliability constraint. If an encoder
(as in Fig. 2) with $R_s = \log_2 M / n$ satisfies the security and reliability constraints for a given wire tap channel,
then such an encoder is said to achieve a secrecy rate $R_s$.

C. Security of the coding method

The security constraint is of paramount importance in the design of an encoder for a wire tap channel. The
following choice of the codes $C_u$ satisfies the security constraint: Each $C_u$ should approach capacity over the wire
tapper's channel (similar to the special case considered by Wyner in [2]). We present the criterion in the following
theorem (the notation used is from Fig. 2 and Section II-B).

Theorem 1: If each code $C_u$, $u \in \{1, 2, \ldots, M\}$, comes from a sequence of codes that approach capacity
asymptotically over the wire tap channel, then $I(U; Z)/n \to 0$ as $n \to \infty$.

Proof: Since each $C_u$ approaches the capacity $C_w$ of the wire tapper's channel, we have for any $\epsilon > 0$ an $n_\epsilon$
such that for $n > n_\epsilon$, $I(X; Z | U = u)/n > C_w - \epsilon$ for each u. Therefore for $n > n_\epsilon$, $I(X; Z | U)/n > C_w - \epsilon$.

Expanding $I(Z; UX)$ in two ways, we get

$$I(Z; UX) = I(U; Z) + I(X; Z | U) = I(X; Z) + I(U; Z | X).$$

Since $U \to X \to Z$ is a Markov chain, $I(U; Z | X) = 0$. Therefore for $n > n_\epsilon$ we have

$$I(U; Z)/n = I(X; Z)/n - I(X; Z | U)/n < C_w - (C_w - \epsilon) = \epsilon.$$

■

This fundamental connection between capacity-approaching codes and secrecy has been used in many works on 
wire tap channels beginning with [2] implicitly. In Appendix I, we show that this connection can be used to design
codes that approach the secrecy capacity of certain wire tap channels. Particularly, we have shown that the reliability
condition can be satisfied while simultaneously forcing each code $C_u$ to approach capacity.

In summary, we have shown that secrecy capacity can be achieved for certain wire tap channels using codes 
that achieve capacity over the wire tapper's channel. A significant drawback is that capacity-achieving codes are 
essential for guaranteeing the security of the method. Since capacity-achieving codes are not practical in many 
settings, design of practical codes that are secure is an important problem that needs to be addressed. If the resulting 
code is practical and secure, transmission rates below secrecy capacity are certainly acceptable. The remainder of 
this paper is concerned with developing practical codes and protocols for wire tap channels. In some simple settings, 
practical methods that achieve secrecy capacity are given. 

III. Code Design for the Wire Tap channel 

In this section, we study the design and use of linear codes over a wire tap channel. We use a method that was 
first introduced and studied by Wyner and Ozarow [2], [9] for two specific cases. We have extended Wyner's study 
by considering other wire tap channels. We have also provided better, implementable codes for the cases studied 
by Wyner. 

A. Coding method 

We consider a coding method similar to Fig. 2 but with linear codes and cosets. To transmit k-bit messages, we
first select an (n, l) linear binary code C such that $k \le n - l$. Out of the $2^{n-l}$ cosets of C, we choose $2^k$ cosets and
let each message correspond to a chosen coset. The selection of the cosets is done in a linear fashion. Suppose G
is a generator matrix for C with rows $g_1, g_2, \ldots, g_l$. We select k linearly independent vectors $h_1, h_2, \ldots, h_k$
from $\{0, 1\}^n \setminus C$. The coset corresponding to a k-bit message $s = [s_1\ s_2\ \cdots\ s_k]$ is determined as follows:

$$s_1 h_1 + s_2 h_2 + \cdots + s_k h_k + C. \qquad (6)$$

Though the above correspondence is deterministic, the encoding procedure has a random component in the selection
of the transmitted word. A k-bit message s is encoded into an n-bit word randomly selected from the coset of C
corresponding to s. Hence, the transmitted word, x, is given by

$$x = s_1 h_1 + s_2 h_2 + \cdots + s_k h_k + v_1 g_1 + v_2 g_2 + \cdots + v_l g_l,$$

where $v = [v_1\ v_2\ \cdots\ v_l]$ is a uniformly random l-bit vector. The overall encoding operation can be described as a
matrix multiplication. Let $G^*$ be the $k \times n$ matrix with rows $h_1, h_2, \ldots, h_k$. Then,

$$x = [s\ v] \begin{bmatrix} G^* \\ G \end{bmatrix}.$$

Hence, x belongs to the overall code with generator matrix

$$\begin{bmatrix} G^* \\ G \end{bmatrix}.$$


The goal of both the legitimate receiver and the eavesdropper is to determine s from their respective received 
vectors. Restating the conditions of Section II-B, the design of the code C and the overall code should be such that (1) s can be
determined without error across the main channel, and (2) every s is equally likely across the wiretapper's channel. 

Guided by the results of the previous sections, we could choose C as a capacity-achieving code over the 
wiretapper's channel. However, designing a code C that can be decoded across the main channel is still a challenge. 
Moreover, capacity-achieving codes have not yet been demonstrated in practice for many channels. In the following 
sections, we look at some design approaches for some simple wire tap channels. The encoding method and notation 
will remain the same for all cases. 



IV. Noiseless main channel and Erasure wiretapper's channel 

We begin with the simplest possible wire tap channel with a binary erasure channel (BEC) as the wiretapper's
channel and a noiseless main channel. This scenario is shown in Fig. 3. In Fig. 3, the wiretapper's channel has
been denoted BEC($1 - \epsilon$), i.e. the probability of erasure in the wiretapper's channel is $1 - \epsilon$. The probability that a
bit is leaked to the wiretapper is $\epsilon$. This notation has been chosen for future convenience. We will denote the wire
tap channel of Fig. 3 as EWT($\epsilon$). Using (3), we see that the secrecy capacity of an EWT($\epsilon$) is

$$C_s = 1 - \mathrm{Capacity}(\mathrm{BEC}(1 - \epsilon)) = 1 - (1 - (1 - \epsilon)) = 1 - \epsilon. \qquad (7)$$

Fig. 3. Wire tap channel denoted EWT($\epsilon$).

The coding method across an EWT($\epsilon$) is illustrated in Fig. 4. In the figure, S is the random variable denoting
the k-bit message to be transmitted. The code C is chosen to be an $(n, n-k)$ code, and the overall code is chosen to
be the entire vector space $\{0, 1\}^n$. The transmitted n-tuple is denoted by the random variable $X = [X_1\ X_2\ \cdots\ X_n]$.
Note that the message S can be seen as a syndrome of C with respect to a carefully constructed $k \times n$ parity-check
matrix H. Since the channel between Alice and Bob is error-free, Bob finds the message as follows: $S = HX^T \pmod 2$.
The secret information rate is R = k/n. From (7), we see that for secure transmission,

$$R = k/n < 1 - \epsilon. \qquad (8)$$

Fig. 4. Coding method.

Assuming that all messages are equally likely, we have $X_i = 0$ or $X_i = 1$ with probability 1/2 each. The
eavesdropper learns $X_i$ with probability $\epsilon$. That is, the random variable $Z = [Z_1\ Z_2\ \cdots\ Z_n]$ is such that $Z_i = X_i$
with probability $\epsilon$, and $Z_i = ?$ (unknown or erasure) with probability $1 - \epsilon$.

A. Security Criterion 

To develop a security criterion for the choice of C, we calculate the eavesdropper's uncertainty $H(S | Z)$ by
first evaluating $H(S | Z = z)$. Note that the eavesdropper is given complete knowledge of the code C and infinite
computational power. The main source of uncertainty is the uniformly random selection of the transmitted word X
from the coset of C corresponding to the message S.

If a coset of C contains at least one vector that agrees with $z \in \{0, 1, ?\}^n$ in the unerased positions, we say that
the coset is consistent with z. Each consistent coset corresponds to a possible message for the eavesdropper. Let v
be a vector consistent with z in the coset v + C. Let $\mathcal{S}$ be the set of all vectors in v + C consistent with z. Then,
$v + \mathcal{S}$ is the set of all vectors in C with zeros in the positions revealed in z. That is,

$$v + \mathcal{S} = \{u \in C : u_i = 0 \text{ whenever } z_i \neq ?\}.$$

Since $|\mathcal{S}| = |v + \mathcal{S}|$, the number of vectors consistent with z in each consistent coset is a constant equal to the size
of the set on the RHS above.

Let N(C, z) denote the total number of cosets of C consistent with z. Since each message is equally likely a
priori, we get

$$H(S | Z = z) = \log_2 N(C, z). \qquad (9)$$

For an $(n, n-k)$ code C, the maximum possible value for N(C, z) is the total number of cosets $2^k$. If $N(C, z) = 2^k$,
we say that z is secured by C since the eavesdropper's $\mathrm{Prob}\{S = s | Z = z\} = 1/2^k$ for every possible message
s. The following theorem (adapted from [9, Lemma 3]) states a condition for a vector z to be secured by a code C.

Theorem 2 (Ozarow, Wyner '84): Let an $(n, n-k)$ code C have a generator matrix $G = [a_1 \cdots a_n]$, where $a_i$
is the i-th column of G. Consider an instance of the eavesdropper's observation $z \in \{0, 1, ?\}^n$ with $\mu$ unerased
positions given by $\{i : z_i \neq ?\} = \{i_1, i_2, \ldots, i_\mu\}$. z is secured by C iff the matrix $G_\mu = [a_{i_1} a_{i_2} \cdots a_{i_\mu}]$ has rank $\mu$.

Proof: If $G_\mu$ has rank $\mu$, the code C has all $2^\mu$ possible $\mu$-tuples in the $\mu$ unerased positions. So each coset
of C also has all $2^\mu$ possible $\mu$-tuples in the $\mu$ revealed positions. So $N(C, z) = 2^k$.

If $G_\mu$ has rank less than $\mu$, the code C does not have all $\mu$-tuples in the $\mu$ unerased positions. So there exists at
least one coset that does not contain a given $\mu$-tuple in the $\mu$ unerased positions, and $N(C, z) < 2^k$. ■

If a random vector obtained over a BEC($1 - \epsilon$) is secured with probability close to one by an $(n, n-k)$ code C,
rate k/n is achievable with secrecy over an EWT($\epsilon$).
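
The encoder of Section III-A and the rank test of Theorem 2, run side by side as an added example that is not part of the paper: the (6, 3) code, its matrices G, G* and H, and all function names are assumptions chosen for illustration, and an erasure '?' is represented by None. The brute-force count of consistent cosets N(C, z) is reported next to the rank of the leaked columns of G so the two can be compared.

```python
"""Coset coding over an erasure wire tap channel, checked against Theorem 2."""
import itertools
import random

K = 3                 # message length k
N_BITS = 6            # block length n
L_RAND = N_BITS - K   # l = n - k random bits choose the word inside a coset

# Constructed toy matrices (assumptions, not taken from the paper).
# G = [I | A] generates C, G_STAR = [0 | I] holds h_1..h_k, and
# H = [A^T | I] gives H G^T = 0 and H G_STAR^T = I, so S = H X^T (mod 2).
A = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
I3 = [[int(i == j) for j in range(3)] for i in range(3)]
G = [I3[i] + A[i] for i in range(3)]
G_STAR = [[0, 0, 0] + I3[i] for i in range(3)]
H = [[A[j][i] for j in range(3)] + I3[i] for i in range(3)]


def encode(s, v):
    """x = [s v] [G*; G] over GF(2): message s picks the coset, v the word."""
    x = [0] * N_BITS
    for bit, row in zip(list(s) + list(v), G_STAR + G):
        if bit:
            x = [a ^ b for a, b in zip(x, row)]
    return x


def syndrome(x):
    """Bob's decoder on the noiseless main channel: S = H x^T (mod 2)."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def wiretap(x, eps, rng):
    """BEC(1 - eps): Eve sees each bit with probability eps, else None ('?')."""
    return [xi if rng.random() < eps else None for xi in x]


def gf2_rank(vectors):
    """Rank over GF(2) of a list of equal-length 0/1 vectors."""
    rows = [int("".join(map(str, v)), 2) for v in vectors]
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot          # lowest set bit is the pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank


def leaked_rank(z):
    """Return (mu, rank of G_mu): G's columns at the unerased positions of z."""
    revealed = [i for i, zi in enumerate(z) if zi is not None]
    return len(revealed), gf2_rank([[row[i] for row in G] for i in revealed])


def consistent_messages(z):
    """Brute force N(C, z): messages whose coset holds a word agreeing with z."""
    found = set()
    for s in itertools.product((0, 1), repeat=K):
        for v in itertools.product((0, 1), repeat=L_RAND):
            x = encode(s, v)
            if all(zi is None or zi == xi for zi, xi in zip(z, x)):
                found.add(s)
                break
    return found


def is_secured(z):
    """Theorem 2: z is secured by C iff G_mu has rank mu."""
    mu, rank = leaked_rank(z)
    return rank == mu


if __name__ == "__main__":
    rng = random.Random(7)
    s = (1, 0, 1)
    x = encode(s, [rng.randrange(2) for _ in range(L_RAND)])
    assert syndrome(x) == s               # Bob always recovers the message
    for eps in (0.2, 0.5, 0.8):
        z = wiretap(x, eps, rng)
        mu, rank = leaked_rank(z)
        n_cosets = len(consistent_messages(z))
        shown = "".join("?" if zi is None else str(zi) for zi in z)
        print(f"eps={eps} z={shown} mu={mu} rank={rank} "
              f"secured={is_secured(z)} N(C,z)={n_cosets}")
```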

B. Using duals of codes on graphs 

We now study the use of the threshold property of codes on graphs for providing security over an erasure wire 
tap channel. We illustrate the method using Low-Density Parity-Check (LDPC) codes. The extension to other codes 
on graphs is shown in examples. 

Consider a bipartite graph ensemble $C^n(\lambda, \rho)$ with n left nodes and left and right edge degree distribution
polynomials $\lambda(x) = \sum_{i \ge 1} \lambda_i x^{i-1}$ and $\rho(x) = \sum_{i \ge 1} \rho_i x^{i-1}$, respectively [14]. The coefficient $\lambda_i$ (respectively,
$\rho_i$) denotes the probability that a randomly chosen edge in the Tanner graph of the code is incident on a variable
(respectively, check) node of degree i. The adjacency matrix of a graph from the ensemble provides the parity-check
matrix of a low-density parity-check (LDPC) code. Let the threshold for $C^n(\lambda, \rho)$ over the binary erasure channel
be $\alpha^*(\lambda, \rho)$. The threshold property has the following straightforward interpretation:

Theorem 3: Let M be a parity-check matrix of an LDPC code from the ensemble $C^n(\lambda, \rho)$. A submatrix formed
by selecting columns of M independently with probability $\alpha$ will have full column rank for $\alpha < \alpha^*(\lambda, \rho)$ for large
k with high probability.

Theorem 3 enables the use of duals of LDPC codes as the code C over an EWT($\epsilon$) as shown in Fig. 4. We let
a matrix M from the ensemble $C^n(\lambda, \rho)$ be the generator matrix for C. By Theorem 3, the columns of the
matrix M corresponding to the leaked bits over a BEC($1 - \epsilon$) will have full rank with high probability whenever
$\epsilon < \alpha^*(\lambda, \rho)$. Note that the probability that a bit is leaked across a BEC($1 - \epsilon$) is equal to $\epsilon$. In combination with
Theorem 2, we see that the code C with generator matrix M provides complete security with probability tending
to one for large block-length over an EWT($\epsilon$) with $\epsilon < \alpha^*(\lambda, \rho)$.

Example 1: The $C^n(x^2, x^5)$ ensemble of (3, 6)-regular LDPC codes has threshold $\alpha^*(x^2, x^5) \approx 0.42$. Let M
be an adjacency matrix from the ensemble with large n (say, $n > 10^5$). M is an $n/2 \times n$ binary matrix with row
weight 3 and column weight 6. The (n, n/2) code C with generator matrix M can be used over an EWT($\epsilon$) for
$\epsilon < 0.42$ with secrecy. The information rate between the honest parties in this case is R = 0.5 compared to the
upper bound of $1 - \epsilon = 0.58$ (from (8)). (In practice, the value of $\epsilon$ could be reasonably less than 0.42 for added
security.)
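
Why an iterative-decoding threshold yields the column-rank statement of Theorem 3, as an added example that is not part of the paper: whenever the iterative erasure decoder resolves every position in a set, the columns of M at those positions are linearly independent, so by Theorem 2 a leak of exactly those positions is secured when M generates C. The 4 x 8 matrix and all function names are constructed assumptions.

```python
"""Peeling (iterative erasure) decoding versus column rank, for Theorem 3."""
from itertools import combinations

# Constructed 4 x 8 sparse matrix M (not a matrix from the paper): entry j
# lists the variable nodes attached to check node j in the Tanner graph.
CHECKS = [{0, 1, 2}, {2, 3, 4}, {4, 5, 6}, {0, 6, 7}]
N = 8


def peel(erased):
    """Run the iterative erasure decoder; return the positions left unresolved."""
    remaining = set(erased)
    progress = True
    while remaining and progress:
        progress = False
        for check in CHECKS:
            unknown = check & remaining
            if len(unknown) == 1:          # check with one unknown: solve it
                remaining -= unknown
                progress = True
    return remaining


def column(i):
    """Column i of M packed into an int (bit j set if check j touches i)."""
    return sum(1 << j for j, check in enumerate(CHECKS) if i in check)


def columns_independent(positions):
    """True iff the columns of M at `positions` are independent over GF(2)."""
    cols = [column(i) for i in positions]
    for size in range(1, len(cols) + 1):
        for subset in combinations(cols, size):
            acc = 0
            for c in subset:
                acc ^= c
            if acc == 0:                   # a nonempty subset sums to zero
                return False
    return True


def survey():
    """Check every pattern: decoder success must imply full column rank."""
    decodable = independent = 0
    for size in range(N + 1):
        for pattern in combinations(range(N), size):
            ok_peel = not peel(pattern)
            ok_rank = columns_independent(pattern)
            assert ok_rank or not ok_peel
            decodable += ok_peel
            independent += ok_rank
    return decodable, independent


if __name__ == "__main__":
    for leaked in ({1, 3}, {0, 1}, {0, 1, 7}, {0, 2, 4, 6}):
        stuck = peel(leaked)
        print(f"leaked={sorted(leaked)} decoder_stuck_on={sorted(stuck)} "
              f"secured={columns_independent(sorted(leaked))}")
    print("decodable patterns, independent patterns:", survey())
```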

The above argument can be extended to other ensembles of codes on graphs that have capacity-achieving 
thresholds over the binary erasure channel. We illustrate the method with the following example. 

Example 2 (Tornado codes): A rate-2/3 tornado code ensemble with threshold $\delta = 0.33257$ has been reported
in [15]. A parity-check matrix M for a code from the ensemble will have dimensions $n/3 \times n$. The $(n, n - \frac{2}{3}n)$
code C with generator matrix M can be used over an EWT($\epsilon$) for $\epsilon < 0.33257$ with secrecy. The information rate
between the honest parties in this case is R = 2/3 = 0.66666... compared to the upper bound of $1 - \epsilon = 0.66743$.
Similar examples using the other classes of capacity-approaching ensembles can be constructed. Hence over an
erasure wire-tap channel with wire-tap probability $\epsilon$, secure information transmission rates tending to the upper
bound of $1 - \epsilon$ are achievable using duals of codes on graphs that approach capacity over the binary erasure
channel.

Note that the code C has properties that are opposite to the requirements of Section II-B. While we had proposed
to use a code that is capacity-achieving over the wiretapper's channel in Section II-B, we have used the dual of
a capacity-achieving code when the wiretapper's channel is a BEC. In fact, using the dual appears to be a more
powerful method since security does not depend on capacity-achieving codes. This observation agrees with the
results of [9], and both possibilities are worth exploring in other wire tap channels.

Fig. 5. The encoding procedure



V. Efficiently Decodable Secrecy codes for noiseless main channel and erasure wiretap channel systems

The main advantage of using LDPC codes for error correction over regular erasure channels is that the decoding 
algorithm is of linear complexity in blocklength [14]. This property can be extended to the use of LDPC codes 
over the erasure wire tap channels as well. We now discuss designing linear-time decodable secrecy codes for the 
system shown in Fig. 3, where the main channel is noiseless and the wiretap channel is a BEC.

In the previous section, we showed how to use dual codes of LDPC codes to construct secrecy codes for this
system. The cosets of a dual code of an LDPC code are used to send secret messages. Let C be an LDPC code.
Let G be the generator matrix of $C^\perp$ (i.e. the parity check matrix of C), and H be the parity check matrix of $C^\perp$
(i.e. the generator matrix of C). G is a sparse matrix since C is an LDPC code. As we discussed in the previous
sections, a coset of $C^\perp$ is indexed by a secret message S and the transmitted word X is a randomly chosen word
from that coset. Let C have rate r, and let $G^*$ be the matrix containing the rest of the independent vectors in
$\{0, 1\}^n$ (as in Section III-A). In Fig. 3 we show the matrices G and $G^*$, and the method for encoding an nr-bit
secret message. The bits $\{s_i\}_{1}^{nr}$ are the secret bits, the bits $\{v_i\}_{1}^{n(1-r)}$ are chosen at random, and $\{x_i\}_{1}^{n}$ are the
transmitted bits. We refer to the secret bits, random bits and transmitted bits as s-bits, v-bits and x-bits, respectively.

We now consider the decoding problem for Bob. Suppose G has rows $g_1, g_2, \ldots, g_{n(1-r)}$. We select nr
linearly independent rows $h_1, h_2, \ldots, h_{nr}$ from $\{0, 1\}^n \setminus C^\perp$. Let $G^*$ be the matrix with rows $h_1, h_2, \ldots, h_{nr}$.
Let the matrix $[G^{*T}, G^T]$ be defined as

$$[G^{*T}, G^T] = [h_1^T, h_2^T, \ldots, h_{nr}^T, g_1^T, g_2^T, \ldots, g_{n(1-r)}^T].$$

Let W be defined as $W = [S, V]^T$, where S is the secret message, and V is a random vector. The transmitted
word $X^T$ is now given by

$$X^T = [G^{*T}, G^T] W. \qquad (10)$$

The decoding problem for Bob is to determine W (or just S) from (10); this can be easily seen to be an $O(n^2)$
operation.

We defined H to be a parity check matrix of the code $C^\perp$ above. An equivalent way of finding S is for Bob
to compute the syndrome $HX^T$. For a suitable choice of H, one could have $S = HX^T$. However, since H is a
dense matrix (in general), the complexity of this decoding is also likely to be $O(n^2)$.

We now ask the following question. Is it possible to achieve linear or almost-linear decoding complexity for Bob 
by carefully choosing a subset of the set of all the cosets of G? In other words, can we sacrifice some secrecy rate 
to achieve linear or almost-linear decoding complexity for Bob? As we will discuss later, our approach will be to 
make some of the elements of S always equal to zero. This will decrease our secrecy rate, but we will show that 
almost-linear or linear time decoding becomes possible in that case. 

We first show that the decoding problem in (10) is similar to the problem of systematic encoding of linear block
codes. Let a linear block code have parity check matrix H, where $H = [H_1, H_2]$. Let the transmitted codeword be
$c = [m^T, p^T]^T$, where m is the message and p is the parity part. Hence, to find p, the encoder has to solve

$$-H_1 m = H_2 p. \qquad (11)$$

Equation (10) is similar to (11) if we let $X^T = -H_1 m$, $H_2 = [G^{*T}, G^T]$, and W = p. In [14], the authors have
shown how to efficiently solve (11) for LDPC codes. As in [14], our approach will be to multiply (10) by a matrix
Q to get

$$QX^T = Q[G^{*T}, G^T]W. \qquad (12)$$

To make the operation of finding W from the above equation $O(n)$, we need to have the matrix $Q[G^{*T}, G^T]$ in a
special form, and we need to ensure that $QX^T$ is an $O(n)$ operation.

A. Choosing a subset of the set of cosets 

Let $G_1$ be a sparse, full row-rank matrix whose rows form a set of linearly independent vectors in the
row-space of $G^*$. Let $G_1$ have dimensions $n(r - t) \times n$. We show this in Fig. 6. Let P be the matrix whose rows
are the rest of the independent vectors in $\{0, 1\}^n$. Let $H^*$ be defined as shown in the figure, and let $H^*$ be the
parity check matrix of an LDPC code $C^*$. $H^*$ has dimensions $n(1 - t) \times n$. Hence, $C^*$ has rate t. It can be seen
that, if G corresponds to a Tanner graph with degree distribution pair $(\lambda_G, \rho_G)$, and $G_1$ corresponds to a Tanner
graph with degree distribution pair $(\lambda_{G_1}, \rho_{G_1})$, then $H^*$ corresponds to a Tanner graph with degree distribution pair
$(\lambda_{H^*}, \rho_{H^*})$, where

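$$\frac{\lambda_{H^*}(x)}{\int_0^1 \lambda_{H^*}(x)\,dx} = \frac{1}{\int_0^1 \lambda_G(x)\,dx \int_0^1 \lambda_{G_1}(x)\,dx}\left(\lambda_G(x)\int_0^x \lambda_{G_1}(u)\,du + \lambda_{G_1}(x)\int_0^x \lambda_G(u)\,du\right), \tag{13}$$

Fig. 6. Choosing a subset of the set of cosets 

and 

$$\rho_{H^*}(x) = \frac{\int_0^1 \lambda_G(x)\,dx}{\int_0^1 \lambda_G(x)\,dx + \int_0^1 \lambda_{G_1}(x)\,dx}\,\rho_{G_1}(x) + \frac{\int_0^1 \lambda_{G_1}(x)\,dx}{\int_0^1 \lambda_G(x)\,dx + \int_0^1 \lambda_{G_1}(x)\,dx}\,\rho_G(x). \tag{14}$$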

See Appendix II for a proof of the above relations. We restrict the transmitted word $X$ to be a linear combination 
of the rows in only $G$ and $G_1$, i.e. all the vectors in $P$ are multiplied by zero. The secrecy code rate now falls to 
$r - t$. It is important to note that this new secrecy code will have the same security properties as the original code, 
since only the matrix $G$ determines the security properties of the secrecy code. 

1) Forming the matrix $H_1$: Let the code $C^*$ have erasure threshold $\beta$ under the standard iterative erasure-decoding 
algorithm. Hence, any submatrix formed using a set of $n\beta$ columns of the $n \times n$ matrix in Fig. 6 (i.e. including $G$, 
$G_1$ and $P$) will have full column rank (asymptotically). By performing some row and column permutations in $G$, 
$G_1$ and $P$, we can get an approximately upper triangular form in $H^*$. Note that, after row and column permutations, 
we need to rearrange the v-bits, s-bits and the x-bits. To keep the notation simple we will still call the first $n(1 - r)$ 
bits v-bits and the next $n(r - t)$ bits s-bits, with the understanding that Bob now will possibly have to find some 
or all of the bits in not only $S$, but also in $V$. After the row and column permutations we continue to call the 
matrices $G$, $G_1$ and $P$ by the same names. 

Now, consider Fig. 7. The matrix $H_1$ is obtained by retaining the $n\beta$ columns in the approximate upper triangular 
form and by choosing $n(1 - t - \beta)$ other columns in such a way that $H_1$ has full column rank in the column-space 
of $G$ and $G_1$. Thus, $H_1$ will have full column rank in the full $n \times n$ matrix ($G$, $G_1$, and $P$) as well. 

2) Forming the matrix $H$: In Fig. 8 we show the matrix $H$, which is obtained by rotating the matrix $H_1$ in 
Fig. 7 by 90 degrees clockwise. The equation (shown in Fig. 8) 

$$H[s_{n(r-t)} \cdots s_1 \; v_{n(1-r)} \cdots v_1]^T = [x_1 \; x_2 \cdots x_{n(1-t)}]^T$$

needs to be solved to find the s-bits and the v-bits. Note that we have retained only $n(1 - t)$ bits in $X$ on the RHS 
in Fig. 8. Since $H$ has full row rank (because $H_1$ in the previous section had full column rank), $n(1 - t)$ x-bits are 
enough to solve for the v-bits and the s-bits. We denote this new vector on the RHS in Fig. 8 as $X^{*T}$. We remark 
that the matrix $H$ is neither the generator matrix of the code C nor the parity check matrix of C. 

Fig. 7. The matrix $H_1$ 

Fig. 8. The matrix $H$ 

February 1, 2008 DRAFT 

We will now follow the steps described in [14] for efficiently solving the equation in Fig. 8. The matrix 
$H$ can be divided into matrices $B$, $T$, $D$ and $E$ as in [14] (the matrices called $A$ and $C$ in [14] are not necessary 
in our solution) with dimensions $n\beta \times n(1 - t - \beta)$, $n\beta \times n\beta$, $n(1 - t - \beta) \times n(1 - t - \beta)$ and $n(1 - t - \beta) \times n\beta$, 
respectively. $T$ is a lower triangular matrix. 
Fig. 9. The matrix $Q$ 

Fig. 10. The vector $Y$ 



3) Multiplying by the matrix $Q$: As in [14], we multiply both sides in Fig. 8 by the matrix $Q$ shown in Fig. 
9. The result is shown in Fig. 10. The result of the multiplication of the matrix $Q$ with the matrix $H$ can be 
precomputed before the actual decoding begins. We now study the matrix-vector multiplication $Y = QX^{*T}$. We 
need to show that this multiplication is $O(n)$ since we need to do this operation for every received $X$. 

In Fig. 11, we have shown the splitting of the vectors $X^*$ and $Y$ into vectors $X_1^*$, $X_2^*$ and $Y_1$, $Y_2$, respectively. 
The vectors $X_1^*$ and $Y_1$ have dimension $1 \times n\beta$, while vectors $X_2^*$ and $Y_2$ have dimensions $1 \times n(1 - t - \beta)$. From 
Fig. 11, the vectors $Y_1$ and $X_1^*$ are equal. Hence, $Y_1$ can be computed in linear time. Now 

$$Y_2^T = ET^{-1}X_1^{*T} + X_2^{*T}.$$

Clearly, $T^{-1}X_1^{*T}$ can be computed using back-substitution in $O(n)$ time, and the multiplication of this result with 
$E$ and the addition with $X_2^{*T}$ are also linear time. Hence, the computation of $Y$ from $Q$ and $X^*$ is $O(n)$. 

Fig. 11. The multiplication of $Q$ and $X^*$ 

Fig. 12. Solving for $U_1$ and $U_2$ 

4) Solving for vectors $S$ and $V$: We now turn to Fig. 10. Let the first $n(1 - t - \beta)$ elements of the vector 
$[s_{n(r-t)} \cdots s_1 \; v_{n(1-r)} \cdots v_1]$ in the LHS in Fig. 10 be denoted by $U_1$, and the next $n\beta$ elements be denoted by 
$U_2$ as shown in Fig. 12. To compute $S$ and $V$, we now need to solve for $U_1$ and $U_2$ using 

$$BU_1^T + TU_2^T = Y_1^T, \quad \text{and} \quad (ET^{-1}B + D)U_1^T = Y_2^T, \tag{15}$$

where $Y_1$ and $Y_2$ are as defined before (in Fig. 11). Solving the second equation first, we get 

$$U_1^T = (ET^{-1}B + D)^{-1}Y_2^T.$$

Though the inverse can be precomputed, the multiplication is not $O(n)$ (in general), since $(ET^{-1}B + D)^{-1}$ is not 
sparse anymore. The complexity of this multiplication is $O((1 - t - \beta)^2 n^2)$. However, if $\beta = 1 - t$, the vector $U_1$ 
is empty and does not have to be computed. From (15), 

$$TU_2^T = Y_1^T + BU_1^T.$$

Since $B$ is a sparse matrix, $BU_1^T$ can be computed in linear time, and then $U_2$ can be solved in $O(n)$ time by 
back-substitution, since $T$ is a sparse lower triangular matrix. 
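
The four steps above can be run end to end on a small instance. The following Python sketch is an added example, not code from the paper: it assumes the block layout $H = [[B, T], [D, E]]$ acting on $[U_1; U_2]$ that is implied by (15), uses small constructed random matrices over GF(2), and all function and class names are hypothetical.

```python
import random

def matvec(M, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def vadd(a, b):
    """Vector addition over GF(2)."""
    return [x ^ y for x, y in zip(a, b)]

def solve_lower(T, y):
    """Solve T u = y over GF(2) for lower-triangular T with unit diagonal.
    The work is proportional to the number of 1s in T, hence linear in n
    when T is sparse (the substitution step used in steps 3 and 4)."""
    u = []
    for i, row in enumerate(T):
        acc = y[i]
        for j in range(i):
            acc ^= row[j] & u[j]
        u.append(acc)
    return u

def inverse_gf2(M):
    """Dense Gauss-Jordan inverse over GF(2); returns None if M is singular."""
    g = len(M)
    A = [row[:] + [int(i == j) for j in range(g)] for i, row in enumerate(M)]
    for c in range(g):
        piv = next((r for r in range(c, g) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        for r in range(g):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[g:] for row in A]

class BlockDecoder:
    """Bob's solver for H [U1; U2] = X* with H = [[B, T], [D, E]] (assumed layout)."""

    def __init__(self, B, T, D, E):
        self.B, self.T, self.D, self.E = B, T, D, E
        gap = len(D)  # n(1 - t - beta) in the paper's notation
        # Precompute phi = E T^{-1} B + D one column at a time.
        cols = []
        for j in range(gap):
            b_col = [row[j] for row in B]
            d_col = [row[j] for row in D]
            cols.append(vadd(matvec(E, solve_lower(T, b_col)), d_col))
        phi = [[cols[j][i] for j in range(gap)] for i in range(gap)]
        self.phi_inv = inverse_gf2(phi)
        if self.phi_inv is None:
            raise ValueError("E T^-1 B + D is singular, so H is not full rank")

    def decode(self, x1, x2):
        y1 = x1                                              # Y1 = X1*
        y2 = vadd(matvec(self.E, solve_lower(self.T, x1)), x2)  # Y2 = E T^-1 X1* + X2*
        u1 = matvec(self.phi_inv, y2)                        # dense gap-by-gap multiply
        u2 = solve_lower(self.T, vadd(y1, matvec(self.B, u1)))  # T U2 = Y1 + B U1
        return u1, u2

def apply_H(dec, u1, u2):
    """Forward map X* = H [U1; U2], used here only to build test inputs."""
    x1 = vadd(matvec(dec.B, u1), matvec(dec.T, u2))
    x2 = vadd(matvec(dec.D, u1), matvec(dec.E, u2))
    return x1, x2

def random_instance(n_beta, gap, seed):
    """Constructed sample blocks; redraws until E T^-1 B + D is invertible."""
    rng = random.Random(seed)
    while True:
        T = [[1 if j == i else (rng.randint(0, 1) if j < i else 0)
              for j in range(n_beta)] for i in range(n_beta)]
        B = [[rng.randint(0, 1) for _ in range(gap)] for _ in range(n_beta)]
        D = [[rng.randint(0, 1) for _ in range(gap)] for _ in range(gap)]
        E = [[rng.randint(0, 1) for _ in range(n_beta)] for _ in range(gap)]
        try:
            return BlockDecoder(B, T, D, E)
        except ValueError:
            continue
```

With `gap = 0` (the case $\beta = 1 - t$) the dense multiply disappears and `decode` reduces to a single triangular solve.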

If $\beta = 1 - t$, the complexity of the entire decoding operation reduces to $O(n)$. Hence, if the code $C^*$ is a 
capacity-achieving erasure-correcting code, then linear time decoding is possible. As we will discuss in the next 
section, this is a sufficient condition but not necessary. We now conclude this section with an example of a secrecy 
code decoded using the method described in this section. 

Example 3: Let C be a (3, 6)-regular LDPC code with block-length $n$. Let $G$ be the sparse parity check matrix of 
C (i.e. the generator matrix of C ). The rate of C is $r = 1/2$. The matrix $G_1$ is chosen to be the parity check matrix 
of a (2, 6)-regular LDPC code. Then the code $C^*$ is an LDPC code with all variable nodes having degree 5 and all 
check nodes having degree 6. The rate of $C^*$ is $t = 1/6$. The LDPC code C has an erasure threshold $\alpha \approx 0.42$. 
The code $C^*$ has an erasure threshold $\beta \approx 0.55$. Thus, the secrecy rate is $r - t = 1/3$, and $1 - t - \beta \approx 0.283$. 
The decoding complexity is $O(n^2)$ because of a multiplication in the decoder by a $0.283n \times 0.283n$ non-sparse 
matrix; however, this multiplication is still less complex than a direct decoder that would require an $n \times n$ non-sparse 
matrix multiplication. The transmitted message is secure across the wiretap channel having erasure probability at 
least $(1 - \alpha) = 0.58$. 

B. Linear time decodable secrecy codes 

We now discuss linear-time decodable secrecy codes. As we saw in the previous sections, a sufficient condition 
for the secrecy code to be linear-time decodable is that the code $C^*$ in Fig. 6 (with parity check matrix $H^*$) should 
be a capacity-achieving code on a binary erasure channel so that the row gap in $H^*$ (i.e. $(1 - t - \beta)$) is zero. The 
authors in [14] have shown that the row gap can also be calculated using the erasure threshold of the transpose 
of the parity check matrix ($H^*$). The transpose of $H^*$ does not correspond to a non-zero rate code. Nevertheless, 
the greedy algorithm that is used to get approximate triangulation in $H^*$ can also be thought of as the standard 
iterative erasure decoding algorithm operating on the transpose of $H^*$. Let $H^*$ have degree distribution $(\lambda_{H^*}, \rho_{H^*})$, 
where $\lambda_{H^*}$ and $\rho_{H^*}$ correspond to the variable and the check nodes, respectively. Then, the transpose of $H^*$ will 
have a degree distribution $(\rho_{H^*}, \lambda_{H^*})$. In [14], it is shown that the row gap obtained is then $(1 - t - \delta)$, where 
$\delta$ is the erasure threshold of the degree distribution pair $(\rho_{H^*}, \lambda_{H^*})$. It turns out that many of the known degree 
distributions of good LDPC error correcting codes actually allow linear time encoding (i.e. $(1 - t - \delta)$ is zero). 

In the following example, we will use this idea to construct a secrecy code that allows linear-time decoding (and 
encoding since $G$, $G_1$ in Fig. 6 are sparse anyway). Since some matrices in our example have a few degree-zero 
variable nodes, we will use node-based degree distributions as opposed to the typical edge-based degree distribution. 
Given an edge-based degree distribution $(\lambda(x), \rho(x))$, let $v(x)$ denote the node-based degree distribution of the 
variable nodes. The coefficient of $x^i$ in $v(x)$, denoted $v_i$, is the fraction of variable nodes with degree $i$. Clearly, 

$$v(x) = \frac{\int_0^x \lambda(u)\,du}{\int_0^1 \lambda(x)\,dx}. \tag{16}$$

Example 4: We refer to Fig. 6 for this example. Let the code C (with parity check matrix $G$) have degree 
distributions $(\lambda_G, \rho_G)$, where $\lambda_G(x) = 0.6087x + 0.3913x^2$, and $\rho_G(x) = x^6$. Thus, the variable degree distribution is 
$v_G(x) = 0.7x^2 + 0.3x^3$. Let the matrix $G_1$ correspond to the parity check matrix of a code with degree distributions 
$(v_{G_1}, \rho_{G_1})$, where $v_{G_1}(x) = 0.7 + 0.3x$, and $\rho_{G_1}(x) = x^6$. Hence, the degree distributions of $H^*$ is $(\lambda_{H^*}, \rho_{H^*})$, 
where $\lambda_{H^*}(x) = 0.3769x + 0.4846x^2 + 0.1385x^3$, and $\rho_{H^*}(x) = x^6$ (using (13) and (14)). The rate of the secrecy 
code then is $r(\lambda_G, \rho_G) - t(v_{H^*}, \rho_{H^*}) = 0.0429$, where $r$ denotes the rate of the corresponding LDPC code. Hence, 
our secrecy rate has dropped to 0.0429 from $1 - (1 - r(\lambda_G, \rho_G)) = 0.6714$. The erasure threshold of C turns out to 
be 0.2625. Hence this code is secure on a wiretap channel with erasure probability at least $(1 - 0.2625) = 0.7375$ 
(i.e. secrecy capacity is 0.7375). This secrecy code is linear time decodable. 
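
The degree-distribution bookkeeping of (13), (14) and (16) and the rates quoted in Examples 3 and 4 can be recomputed numerically. This Python sketch is an added example, not code from the paper: distributions are stored as dictionaries keyed by node degree, the threshold routine is the standard BEC density-evolution condition evaluated on a grid, and all function names are hypothetical.

```python
def edge_to_node(lam):
    """Eq. (16): node-based distribution from edge-based {node degree i: lambda_i}."""
    z = sum(c / i for i, c in lam.items())
    return {i: (c / i) / z for i, c in lam.items()}

def node_to_edge(v):
    """Inverse of eq. (16); degree-zero nodes carry no edges and drop out."""
    z = sum(i * c for i, c in v.items())
    return {i: i * c / z for i, c in v.items() if i > 0}

def avg_degree(v):
    """Average column weight of a node-based distribution."""
    return sum(i * c for i, c in v.items())

def stack_columns(v_a, v_b):
    """Column weights of the stacked matrix [A; B]: the two weights add and are
    independent, so the node-based distributions convolve (this is eq. (13))."""
    out = {}
    for i, a in v_a.items():
        for j, b in v_b.items():
            out[i + j] = out.get(i + j, 0.0) + a * b
    return out

def mix_rows(v_a, rho_a, v_b, rho_b):
    """Eq. (14): edge-based row distribution of [A; B], weighted by edge counts."""
    ea, eb = avg_degree(v_a), avg_degree(v_b)
    out = {}
    for rho, e in ((rho_a, ea), (rho_b, eb)):
        for i, c in rho.items():
            out[i] = out.get(i, 0.0) + c * e / (ea + eb)
    return out

def design_rate(v, rho):
    """1 - (number of rows)/n = 1 - (average column weight)/(average row weight)."""
    avg_row = 1.0 / sum(c / i for i, c in rho.items())
    return 1.0 - avg_degree(v) / avg_row

def bec_threshold(lam, rho, steps=20000):
    """Iterative-decoding erasure threshold: min over x in (0, 1] of
    x / lambda(1 - rho(1 - x)), evaluated on a uniform grid."""
    def ev(poly, x):
        return sum(c * x ** (i - 1) for i, c in poly.items())
    return min(x / ev(lam, 1.0 - ev(rho, 1.0 - x))
               for x in (k / steps for k in range(1, steps + 1)))

def secrecy_design(v_G, rho_G, v_G1, rho_G1):
    """Degree distribution of H* = [G; G1] and the resulting rates r, t, r - t."""
    v_H = stack_columns(v_G, v_G1)
    rho_H = mix_rows(v_G, rho_G, v_G1, rho_G1)
    r, t = design_rate(v_G, rho_G), design_rate(v_H, rho_H)
    return {"lambda_H": node_to_edge(v_H), "rho_H": rho_H,
            "r": r, "t": t, "secrecy_rate": r - t}

# Example 3: G is (3,6)-regular and G1 is (2,6)-regular, so H* is (5,6)-regular.
EXAMPLE_3 = secrecy_design({3: 1.0}, {6: 1.0}, {2: 1.0}, {6: 1.0})
# Example 4: v_G = 0.7x^2 + 0.3x^3, v_G1 = 0.7 + 0.3x, all rows of weight 7 (rho = x^6).
EXAMPLE_4 = secrecy_design({2: 0.7, 3: 0.3}, {7: 1.0}, {0: 0.7, 1: 0.3}, {7: 1.0})

if __name__ == "__main__":
    print("Example 3:", EXAMPLE_3)
    print("  beta for the (5,6) code:", round(bec_threshold({5: 1.0}, {6: 1.0}), 4))
    print("Example 4:", EXAMPLE_4)
```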

VI. Erasure main channel and Erasure wiretapper's channel 

In this section, we consider wire tap systems where both the wire tap channel and the main channel are binary 
erasure channels (BEC). Though our results apply with a small modification to systems with DMCs other than the 
BEC as the main channel, we restrict ourselves to the BEC case for ease of explanation. 

With a BEC as the main channel, the wire tap system is as shown in Figure 13. The wiretapper's channel is a 
BEC with erasure probability $\epsilon_w$, and the main channel is another BEC with erasure probability $\epsilon_m$. According to 
(O, the secrecy capacity of this system is $C_s = \epsilon_w - \epsilon_m$, which is positive whenever $\epsilon_w > \epsilon_m$. 

Fig. 13. The BEC wire tap system 

A. Using duals of codes on graphs 

As in the noiseless main channel case, we consider using the dual of an LDPC code as the code C for encoding. 
Using Theorem 3, security across the wiretapper's channel can be related to the threshold $\alpha$ of the LDPC code C 
over erasure channels. Specifically, if $1 - \epsilon_w < \alpha$, security is guaranteed with high probability. 

We now turn to the probability of error on the main channel. Suppose we could design the matrix $G^*$ such that 
the overall code C still belongs to an LDPC ensemble with threshold $\beta$ over erasure channels. Bob can decode x 
(and hence the message s) with asymptotically zero probability of error whenever $\epsilon_m < \beta$. 

In summary, the requirement on the LDPC code C is that it should contain C, the dual of another LDPC code 
C . Since the dual of an LDPC code is likely to have a significantly high number of low-weight codewords, the 
requirement appears to be contrary to intuition. A very similar code design problem arises in the construction of 
quantum error-correcting codes using sparse graphs [16]. After studying several constructions, the authors of [16] 
conclude that such codes are difficult to construct and are unlikely to have high thresholds. 

B. Using capacity-achieving codes 

We now consider a coding method that will eventually depend on capacity-achieving codes for complete security. 
We first pick an LDPC code $C_1$ of length $n$ from an ensemble of codes having asymptotic erasure threshold $\epsilon_w$. 
That means, as $n \to \infty$, $C_1$ recovers all the erasures on an erasure channel with erasure probability up to at least 
$\epsilon_w$ using the standard iterative erasure decoding algorithm. Let the rate of $C_1$ be $r_1$, and let $H_1$ be the parity check 
matrix of the code $C_1$. Next we select $n(1 - r_2)$ independent vectors from the dual space of $C_1$, where $r_1 < r_2$. 
The selection is such that the $n(1 - r_2) \times n$ matrix $H_2$ formed by these vectors as rows is from an LDPC ensemble 
with erasure threshold $\epsilon_m$. Let $\bar{H}_2$ be the matrix whose rows are the rest of the independent vectors in the dual 
space of $C_1$. As we will see shortly, we must have $\epsilon_w > (1 - r_2)$ in order to guarantee some equivocation for Eve. 
Let $C_2$ be the code with parity check matrix $H_2$. From capacity considerations, we have 

$$1 - r_2 \geq \epsilon_m, \text{ and}$$

$$1 - r_1 \geq \epsilon_w.$$

In our examples, we will construct $H_2$ by picking $n(1 - r_2)$ rows of $H_1$, and the rest of the rows will be in $\bar{H}_2$. 
Let $H_2$ correspond to a Tanner graph with degree distribution pair $(\lambda_2, \rho_2)$, and let $\bar{H}_2$ correspond to a Tanner 
graph with degree distribution pair $(\bar{\lambda}_2, \bar{\rho}_2)$. Using (13) and (14), we see that $H_1$ corresponds to a Tanner graph 
with degree distribution pair $(\lambda_1, \rho_1)$, where 

$$\frac{\lambda_1(x)}{\int_0^1 \lambda_1(x)\,dx} = \frac{1}{\int_0^1 \lambda_2(x)\,dx \int_0^1 \bar{\lambda}_2(x)\,dx}\left(\lambda_2(x)\int_0^x \bar{\lambda}_2(u)\,du + \bar{\lambda}_2(x)\int_0^x \lambda_2(u)\,du\right), \tag{17}$$

and 

$$\rho_1(x) = \frac{\int_0^1 \lambda_2(x)\,dx}{\int_0^1 \lambda_2(x)\,dx + \int_0^1 \bar{\lambda}_2(x)\,dx}\,\bar{\rho}_2(x) + \frac{\int_0^1 \bar{\lambda}_2(x)\,dx}{\int_0^1 \lambda_2(x)\,dx + \int_0^1 \bar{\lambda}_2(x)\,dx}\,\rho_2(x). \tag{18}$$

We have to choose $(\lambda_1, \rho_1)$ and $(\lambda_2, \rho_2)$ in such a way that for all $i$, $\bar{\lambda}_{2i}$ and $\bar{\rho}_{2i}$ are non-negative. 

Fig. 14. The encoding procedure 

Fig. 15. The encoding space 

1) Encoding procedure: We now discuss the encoding procedure, which is a little different from the encoding 
procedure for a noiseless main channel. Here, Alice starts with an $n(r_2 - r_1)$-bit message vector $S$, and forms an 
$n(1 - r_1)$-bit vector $[0 \cdots S]$ by prefixing $n(1 - r_2)$ 0's to $S$. She now chooses, for transmission, a vector $X$ at 
random from the solution set of the equation 

X T = [0---0S*] T . (19) 

We illustrate this encoding procedure in Fig. 14. The number of solutions to the equation $H_2 X^T = 0$ is 
$2^{n - n(1 - r_2)} = 2^{nr_2}$. For a particular choice of $S = S_1$, the number of solutions to (19) is $2^{n - n(1 - r_1)} = 2^{nr_1}$. 
In addition, the solution sets of (19) for different values of $S$ are disjoint as shown in Fig. 15. Therefore, the 
solution space of the equation $H_2 X^T = 0$ splits into $2^{n(r_2 - r_1)}$ disjoint subsets, each corresponding to a 
different value of $S$. Hence, the rate of the secrecy code is $(r_2 - r_1)$. An interesting observation in the encoding 
process is that we are not using the entire space $\{0, 1\}^n$ as in the previous sections where the main channel was 
noiseless. 

2) Equivocation across the wire tap channel: In this section, we calculate the equivocation for Eve. Since Eve's 
channel is a BEC with erasure probability $\epsilon_w$, with probability tending to 1, Eve will have $n\epsilon_w$ erasures as $n \to \infty$. 
If we have $\epsilon_w > (1 - r_2)$, using $H_2 X^T = 0$, Eve must have at least $2^{n(\epsilon_w - (1 - r_2))}$ solutions for $X$, all of which 
are equally likely. All these solutions will differ from each other in the erased positions. Since $\epsilon_w$ is the erasure 
threshold of the code having $H_1$ as the parity-check matrix, any submatrix formed using $n\epsilon_w$ columns of $H_1$ will 
have full column rank [14]. Thus every solution of $H_2 X^T = 0$ will result in a different value of $S$, all of which 
are equally likely. The equivocation for Eve is then $\Delta = n(\epsilon_w - (1 - r_2))$. If $H_1$ is the parity-check matrix of a 
capacity-achieving code on an erasure channel with erasure probability $\epsilon_w$, $\Delta = n(r_2 - r_1)$, and the message will 
be completely secure from Eve. Clearly, if the erasure probability of Eve's channel goes up, Eve will still have at 
least this much equivocation. 

3) Probability of error on the main channel: When Bob receives a vector $Y$, he first decodes it by using the 
standard iterative erasure decoding technique for LDPC codes on the Tanner graph of the code $C_2$. Let the erasure 
probability of the main channel be at most $\epsilon_m$. Then, as $n \to \infty$, with probability tending to 1 he will be able to 
recover the transmitted word $X$. Bob then can find out the product $\bar{H}_2 X^T$, which is his estimate of the message $S$. 

We now illustrate the codes involved in this coding method with an example. 

Example 5: Let $C_2$ be a (3, 6)-regular LDPC code with block-length $n$. Hence, $\lambda_2(x) = x^2$ and $\rho_2(x) = x^5$. 
$C_2$ has rate $r_2 = 1/2$. The code $C_1$ is chosen to be another LDPC code with all variable nodes having degree 5 
and all check nodes having degree 6. Hence, $\lambda_1(x) = x^4$ and $\rho_1(x) = x^5$. $C_1$ has rate $r_1 = 1/6$. It can be seen 
from (17) and (18) that $\bar{\lambda}_2(x) = x$ and $\bar{\rho}_2(x) = x^5$. The LDPC code $C_2$ has an erasure threshold $\alpha^* \approx 0.42$. 
The code $C_1$ has an erasure threshold $\beta^* \approx 0.55$. Thus, the secrecy rate is $r_2 - r_1 = 1/3$, and an equivocation 
of $n(\beta^* - (1 - r_2)) = 0.05n$ is guaranteed across the wiretap channel having erasure probability greater than 
$\beta^* = 0.55$. Bob can decode the message with asymptotically zero probability of error on the main channel having 
erasure probability at most $\alpha^* \approx 0.42$. 

The example above illustrates the main drawback of this coding method. Unless the code $C_1$ is capacity-achieving 
($\beta^* = 1 - r_1$), the coding method is not secure even for large $n$. Note that the equivocation could be reduced 
further by a better choice of $C_1$, but the equivocation will go to zero only for capacity-achieving codes. 

C. Remarks 

We have shown that codes on graphs provide secrecy in erasure wire tap channels with maximum possible 
secure information rate. The codes are efficiently implementable in practice. However, if the main channel is 
not noiseless, secrecy by forward coding alone appears to require capacity-achieving codes that are difficult to 
construct. Alternative models of wire tap channels with parallel error-free public channels are presumably better 
for constructing implementable secrecy codes when the main channel is noisy. 
VII. Noiseless main channel and BSC wiretapper's channel 



In this section, we consider a special case of a wire tap channel, where the eavesdropper sees a binary symmetric 
channel (BSC) with error probability p, denoted BSC(p). The main channel is error free. Using OJ, we see that 



$$1 - \text{Capacity}(\text{BSC}(p)) = 1 - (1 - h(p)) = h(p), \tag{20}$$

where $h(x) = -x \log_2 x - (1 - x) \log_2(1 - x)$, $0 < x < 1$. 
The wire tap channel and the encoding is shown in Fig. 16. The method of coding is illustrated with the same 
notation as Section Hill 

Fig. 16. Coding for a BSC wiretapper's channel. 

A. Security across a BSC wiretapper's channel 

We let C be an $(n, n - k)$ code and C be the entire space $\{0, 1\}^n$. For an arbitrary $k$-bit message $S = s$, the 
transmitted word $X \in sG^* + C$. Since the cosets of C cover the entire space of $n$-tuples, Eve's received vector $Z$ 
belongs to some coset of C, say $uG^* + C$. If $e$ denotes the error vector introduced by the BSC($p$) in the wiretap, 
we have for $1 \leq i \leq 2^k$, 

$$\text{Prob}\{Z \in uG^* + C \mid S = s\} = \text{Prob}\{e \in (u + s)G^* + C\} = \text{Prob}\{e \in w + C\} \text{ for some } n\text{-tuple } w. \tag{21}$$

We can now state the criterion for selecting the code C to guarantee security of the message $S$: we choose C such 
that for any $n$-tuple $w$, we have 

$$\text{Prob}\{e \in w + C\} \to 2^{-k}, \text{ as } n \to \infty. \tag{22}$$

Using the above condition in (21), we see that Eve is equally likely to find $Z$ in any coset of C given any 
message $S = s$. Assuming all $S = s$ are equally likely a priori, $\text{Prob}\{Z \in uG^* + C\}$ is independent of $u$; hence, 
$\text{Prob}\{S = s \mid Z \in uG^* + C\} \to 2^{-k}$, and security is guaranteed. 

The LHS of (22) is the probability of the coset $w + C$. This probability was first studied by Sullivan [17] 
and further extended by Ancheta [18], [19]. The following results can be extracted from their studies: (1) The 
requirement of (22) that the probabilities of a code ($w = 0$) and a coset ($w \neq 0$) should be approximately equal 
can be achieved for large block-length. (2) The properties of the dual of a code play an important role in the 
probability of a coset. We expand on these two results in the next sections to design codes for the BSC wire tap 
channel. 


B. Choosing the code C: Security criterion 

Using the MacWilliams identities [20, Page 127] for the $(n, n - k)$ linear code C, we get 

$$\sum_{e \in C} x^{n - \text{wt}(e)} y^{\text{wt}(e)} = \frac{1}{2^k} \sum_{i=0}^{n} A'_i (x + y)^{n-i} (x - y)^i, \tag{23}$$

where $A'_i$ is the number of codewords of weight $i$ in the dual code $C^\perp$. Using $x = 1 - p$, $y = p$, and $A'_0 = 1$ in 
(23), we get 

$$\sum_{e \in C} p^{\text{wt}(e)} (1 - p)^{n - \text{wt}(e)} = 2^{-k} + 2^{-k} \sum_{i=1}^{n} A'_i (1 - 2p)^i.$$

Using the MacWilliams identities [20, Page 137] for the coset $w + C$, we get 

$$\sum_{e \in w + C} x^{n - \text{wt}(e)} y^{\text{wt}(e)} = \frac{1}{2^k} \sum_{i=0}^{n} A'_i(w) (x + y)^{n-i} (x - y)^i, \tag{24}$$

where 

$$A'_i(w) = \alpha_i(w) - \beta_i(w) \tag{25}$$

with $\alpha_i(w)$ equal to the number of codewords of weight $i$ in the dual code orthogonal to $w$, and $\beta_i(w)$ equal 
to the number of codewords of weight $i$ in the dual code not orthogonal to $w$. Using $x = 1 - p$, $y = p$, and 
$A'_0(w) = 1$ in (24), we get 

$$\sum_{e \in w + C} p^{\text{wt}(e)} (1 - p)^{n - \text{wt}(e)} = 2^{-k} + 2^{-k} \sum_{i=1}^{n} A'_i(w) (1 - 2p)^i. \tag{26}$$

From (25), we see that $|A'_i(w)| \leq A'_i$. We now state the main security criterion as a theorem. 

Theorem 4: If 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i \to 0, \text{ as } n \to \infty, \tag{27}$$

then $\text{Prob}\{e \in w + C\} \to 2^{-k}$ for all $n$-tuples $w$. 

Proof: Since $|A'_i(w)| \leq A'_i$, we get 

$$\left|\sum_{i=1}^{n} A'_i(w) (1 - 2p)^i\right| \leq \sum_{i=1}^{n} A'_i (1 - 2p)^i \to 0.$$

Hence, 

$$\sum_{i=1}^{n} A'_i(w) (1 - 2p)^i \to 0.$$

That implies that the second term in the RHS of (26) can be neglected with respect to the first term $2^{-k}$, and the 
proof is complete. ■ 

The criterion for the selection of C is that the dual $C^\perp$ should have a weight distribution that satisfies (27). 
C. Some code constructions 

We provide some examples of codes that satisfy the requirement of (27). 

Example 6: (Single parity check codes) The dual of an $(n, n - 1, 2)$ single parity check code is the $(n, 1, n)$ 
repetition code with weight distribution $A'_0 = 1$ and $A'_n = 1$. Hence, 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i = (1 - 2p)^n \to 0$$

as $n \to \infty$. However, the secrecy rate $1/n \to 0$ for large $n$. This is an example that was first used by Wyner in [2] 
to motivate coding over a wire tap channel. 

Example 7: (Hamming codes) The weight distribution of the dual of the $[n = 2^m - 1, n - m, 3]$ Hamming code 
$\mathcal{H}_m$ is $A'_0 = 1$ and $A'_{(n+1)/2} = n$. Hence, 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i = n(1 - 2p)^{(n+1)/2} \to 0$$

as $n \to \infty$. As in the previous example, the secrecy rate tends to zero for large $n$. 
The following theorem generalizes the above construction method. 

Theorem 5: Let $\{C_{(n)}\}$ be a sequence of $(n, n - k_n)$ codes such that $\text{Prob}\{\text{Detection Error}\} < 2^{-k_n}$ over a 
BSC($p$), $0 < p < 1/2$ and $\lim_{n \to \infty}\{k_n/n\} < \log_2(1/(1 - p))$. Let $A'_i$ be the number of codewords of weight $i$ in 
the dual code $C_{(n)}^\perp$. Then 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i \to 0, \text{ as } n \to \infty.$$

Proof: We are given that for the code $C_{(n)}$ 

$$\text{Prob}\{\text{Detection Error}\} = \sum_{e \in C_{(n)};\, e \neq 0} p^{\text{wt}(e)} (1 - p)^{n - \text{wt}(e)} < 2^{-k_n}.$$

Adding $(1 - p)^n$ to both sides and using the MacWilliams identities, we get 

$$\sum_{e \in C_{(n)}} p^{\text{wt}(e)} (1 - p)^{n - \text{wt}(e)} = 2^{-k_n} + 2^{-k_n} \sum_{i=1}^{n} A'_i (1 - 2p)^i \leq (1 - p)^n + 2^{-k_n},$$

or 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i \leq 2^{k_n} (1 - p)^n = 2^{n(k_n/n - \log_2(1/(1 - p)))}.$$

Since $\lim_{n \to \infty}\{k_n/n\} < \log_2(1/(1 - p))$ and the LHS above is nonnegative, 

$$\sum_{i=1}^{n} A'_i (1 - 2p)^i \to 0, \text{ as } n \to \infty.$$

■ 

The existence of $(n, n - k_n)$ linear codes with probability of detection error less than $2^{-k_n}$ is well known [21, 
Section 3.6]. Suppose we find a class of such error detecting codes such that 

$$R = \lim_{n \to \infty} \frac{k_n}{n}.$$

Then, for large $n$, the code $C_{(n)}$, when used as the code C over a wire tap channel with a BSC($p$) as the wiretapper's 
channel, provides security whenever $R < -\log_2(1 - p)$, or $p > 1 - 2^{-R}$. The maximum possible secrecy rate that 
can be achieved by this construction is therefore $-\log_2(1 - p)$. 

Codes such as Hamming codes and double error-correcting BCH codes are examples of such error-detecting 
codes. However, most known classes of such codes have $R = 0$. 
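
The coset-probability identity (26) and the criterion of Theorem 4 can be checked by brute force on short codes such as those of Examples 6 and 7. The following Python sketch is an added example, not code from the paper; the code C is specified by the rows of its parity check matrix (which generate the dual), and all function names are hypothetical.

```python
from itertools import product

def hamming_parity_check(m):
    """Rows of the m x (2^m - 1) parity check matrix of the Hamming code:
    column c (1 <= c <= n) is the binary expansion of c."""
    n = 2 ** m - 1
    return [[(c >> b) & 1 for c in range(1, n + 1)] for b in range(m)]

def dual_codewords(Hrows):
    """All 2^k codewords of the dual code spanned by the parity check rows."""
    n = len(Hrows[0])
    words = []
    for coeffs in product((0, 1), repeat=len(Hrows)):
        w = [0] * n
        for c, row in zip(coeffs, Hrows):
            if c:
                w = [a ^ b for a, b in zip(w, row)]
        words.append(w)
    return words

def syndrome(Hrows, e):
    """Syndrome of e; two vectors lie in the same coset of C iff syndromes match."""
    return tuple(sum(a & b for a, b in zip(row, e)) & 1 for row in Hrows)

def coset_probabilities(Hrows, p):
    """Prob{e in w + C} over BSC(p) for every coset, keyed by syndrome,
    computed directly by summing over all 2^n error patterns."""
    n = len(Hrows[0])
    probs = {}
    for e in product((0, 1), repeat=n):
        wt = sum(e)
        s = syndrome(Hrows, e)
        probs[s] = probs.get(s, 0.0) + p ** wt * (1 - p) ** (n - wt)
    return probs

def coset_probability_dual(Hrows, w, p):
    """Right-hand side of (26): 2^-k (1 + sum_{i>=1} A'_i(w) (1 - 2p)^i).
    Each dual codeword of weight i contributes +1 to A'_i(w) if it is
    orthogonal to w (alpha_i) and -1 otherwise (beta_i)."""
    total = 0.0
    for c in dual_codewords(Hrows):
        sign = -1 if sum(a & b for a, b in zip(c, w)) & 1 else 1
        total += sign * (1 - 2 * p) ** sum(c)
    return total / 2 ** len(Hrows)

def criterion_sum(Hrows, p):
    """Left-hand side of (27): sum_{i>=1} A'_i (1 - 2p)^i."""
    return sum((1 - 2 * p) ** sum(c) for c in dual_codewords(Hrows) if any(c))

def worst_coset_bias(Hrows, p):
    """max over cosets of |2^k Prob{e in w + C} - 1|; Theorem 4's proof
    bounds this by criterion_sum(Hrows, p)."""
    k = len(Hrows)
    return max(abs(2 ** k * q - 1) for q in coset_probabilities(Hrows, p).values())

if __name__ == "__main__":
    p = 0.25
    for m in (3, 4):
        H = hamming_parity_check(m)
        print(m, criterion_sum(H, p), worst_coset_bias(H, p))
```

For the Hamming family the bound shrinks as $m$ grows, while the secrecy rate $m/n$ also shrinks, which is the trade-off noted in Example 7.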

VIII. Conclusion and Discussion 

In this paper, we have studied the construction of codes that provide security and reliability over a wire tap 
channel. Our general construction uses codes that approach capacity over the wire tapper's channel. We have shown 
that this approach achieves secrecy capacity when the wire tap channel is made of symmetric DMCs. Other cases 
require a closer study. 

A drawback of using capacity-achieving codes is that they are difficult to find and construct except in some 
special cases. One such special case is when the wire tap channel is a binary erasure channel. Hence, codes such as 
optimized Tornado codes can be used across erasure wiretapper's channels as described above. However, we have 
shown that capacity-achieving codes are not necessary in this case. If a code exhibits a threshold behavior across a 
BEC (codes such as regular LDPC codes), its dual can be used effectively over a wire tap channel with a BEC as 
the wiretapper's channel. This result enables the use of codes that can be more easily constructed. Extending the 
connections between codes that exhibit a threshold phenomenon and secrecy over a general DMC is an important 
area of future work. 

When the wiretapper's channel is a BEC and the main channel is noiseless, we have presented codes that approach 
secrecy capacity. To our knowledge these are the first and only such codes. 

For the case where both the main channel and the wiretapper's channel are BECs, we have studied two approaches 
for code design. The optimality and secrecy capacity of the constructions need to be studied and explored. 

For the case where the wiretapper's channel is a BSC($p$) and the main channel is noiseless, we have shown 
that codes with good error-detecting properties provide security. The capacity of this construction is $-\log_2(1 - p)$, 
which is less than the secrecy capacity $h(p)$. Capacity-approaching codes will probably be graph-based. Use of 
graph-based codes for the BSC wiretapper's channel is a subject for future study. 

Appendix I 
Existence of reliable encoders 

In this section, we determine a random coding bound on the probability of error Prob{U ^ U} in a manner 
following Gallager [22, Section 5.6]. Let x be a vector of n input symbols, y a vector of n main channel output 
symbols, and z a vector of n wire tap channel output symbols. We let the output alphabet of the main channel be 
$\{1, 2, \cdots, J_m\}$, denoting a symbol by $j_m$. The eavesdropper on the wire tap channel is assumed to have unlimited 
power to process the received word $z$. We let the output alphabet of the wire tap channel be $\{1, 2, \cdots, J_w\}$, denoting 
a symbol by $j_w$. Let $T_n(y|x)$ and $S_n(z|x)$ be the transition probabilities for the main channel and wire tap channel, 
respectively. Let $TS_n(y, z|x)$ be the joint distribution. 

We now define a random code ensemble for the coding method of Section III-B. Let $Q_n(x)$ be an arbitrary 
probability assignment on the set of length $n$ input sequences. A set of $ML$ words is chosen pairwise independently 
from the set of length $n$ input sequences according to $Q_n(x)$. The words are arranged in an $M \times L$ array indexed 
by a pair of coordinates $u \in \{1, 2, \cdots, M\}$ and $v \in \{1, 2, \cdots, L\}$; each word is denoted $x_m$, where $m = (u, v)$. 
Each row is considered to be the code $C_u$, i.e. $C_u = \{x_{m'} : m' = (u', v');\ u' = u\}$. 

Let us assume that a message $u$ is to be transmitted by Alice. Let us further assume that the word $x_m$ with 
$m = (u, v)$ is chosen for transmission from $C_u$. Let $y$ and $z$ be the received vectors for Bob and Eve, respectively. 
We will upper bound the probability of an event $E$, which captures both the security and reliability constraints. 
The event $E$ is the union of the following two events: 

1) Event $A_{m'}$: an $x_{m'}$ for $m' = (u', v') \neq m = (u, v)$ with $u \neq u'$ is chosen in the code such that $T_n(y|x_{m'}) \geq 
T_n(y|x_m)$. This event captures the reliability requirement. 

2) Event $B_{m'}$: an $x_{m'}$ for $m' = (u, v') \neq m = (u, v)$ is chosen in the code such that $S_n(z|x_{m'}) \geq S_n(z|x_m)$. 
This event captures the security requirement. 

The probability of $E$ averaged over the ensemble for the $m = (u, v)$-th word is 

$$\bar{P}_{E,m} = \sum_{x_m} \sum_{y} \sum_{z} Q_n(x_m)\, TS_n(y, z|x_m)\, \Pr\{E \mid m, x_m, y, z\}$$

Using a modified union bound, 



(28) 



Pr{£:|m,x m ,y,z} < 
for < pi, p2 < 1. Now, 



E 

u—u' ,v^v' 



Pr{B m >} 



< 



E 



:T„(y|x m ,)>T„(y|x m ) 

T n (y|x)^ 

inWT^l—, Si > 0. 



Similarly, 



Pr{B m /}<EOn( x ) 



T n (y\x m ) s 



Sn(z|x) a ' 

'5„(z|x m ) s 2 



S 2 > 0. 
Using the simplifications in 



Xm y Z 



X] E E Qn(Xm)TS n (y, z|x,- 



x m y z 



(L-l)^Q n (x) 



(y|x m ) s 

5„(z|x) s 



1 P2 



= (M-1) P1 L P1 ^ 



<S'n( z | x m) S2 

£ Q„(x)T„ (y|x) Sl 



Am 



S2P2 



^ Q n (x)5„(z|x) 



P2 



Using $s_i = 1/(1 + \rho_i)$, we get a version of Theorem 5.6.1 in Gallager [22]. Following Gallager [22, Section 5.6] 
further for the case of discrete memoryless channels, we let 

$$Q_n(x) = \prod_{i=1}^{n} Q(x_i),$$

where the input vector $x = [x_1 \; x_2 \cdots x_n]$ in terms of its components, and $Q(k)$, $k \in \{1, 2, \cdots, K\}$ is an 
arbitrary probability assignment on the input alphabet. Similarly, we let $T_n(y|x) = \prod_{i=1}^{n} T(y_i|x_i)$ and $S_n(z|x) = 
\prod_{i=1}^{n} S(z_i|x_i)$. Converting to exponential relationships, we get 

$$\bar{P}_{E,m} \leq \exp\{-n[E_1(\rho_1, Q) - \rho_1 R_1]\} + \exp\{-n[E_2(\rho_2, Q) - \rho_2 R_2]\},$$

where $ML = e^{nR_1}$; $L = e^{nR_2}$; 



Ei(pi,Q) 



E 2 (P2,Q) 



iog( E 



A" 



EQ( fc ) T (>»l fc ) 1/(1+pl) 



,fc=l 

A 



-1 1IP1 



1|P2^ 



and 



^Q(fc)S(i„|^/( I+Pi 



,fc=i 



Note that the secrecy rate of a code from the ensemble is $R_s = R_1 - R_2$. Using a distribution Pr{m} in 
get 

$$P_e \leq \exp\{-n[E_1(\rho_1, Q) - \rho_1 R_1]\} + \exp\{-n[E_2(\rho_2, Q) - \rho_2 R_2]\},$$

The random coding exponent for the wire tap channel is defined as follows: 

$$E_w(R_2) = \max_{0 \leq \rho_2 \leq 1} \max_{Q} [E_2(\rho_2, Q) - \rho_2 R_2].$$



(29) 



(30) 



(31) 



, we 



(32) 



(33) 



Let $Q_2$ be the distribution on the input symbols that maximizes the random coding exponent $E_w(R_2)$. To satisfy 
the security constraint of Section III-C, we restrict ourselves to ensemble of codes with input symbol distribution 
$Q_2(k)$. We can now define another random coding exponent for the main channel as follows: 

$$E_m(R_1) = \max_{0 \leq \rho_1 \leq 1} [E_1(\rho_1, Q_2) - \rho_1 R_1].$$

Using the random coding exponents in (32), we get the following theorem. 
Theorem 6: For an ensemble of codes using the maximizing distribution $Q_2$, 

$$\bar{P}_{E,m} \leq \exp\{-nE_m(R_1)\} + \exp\{-nE_w(R_2)\};$$

$$P_e \leq \exp\{-nE_m(R_1)\} + \exp\{-nE_w(R_2)\}.$$

We know that $E_w(R_2) > 0$ for $0 \leq R_2 < C_w$, where $C_w$ is the channel capacity of the wiretapper's channel. 
Hence, Theorem 6 says that there exists a code in a suitable ensemble such that the security constraint can be 
satisfied (each $C_u$ can approach capacity on the wire tapper's channel) with arbitrary accuracy by increasing the 
block-length; at the same time, the same code can satisfy the reliability constraint with arbitrary accuracy provided 
the rate $R_1$ is such that $E_m(R_1) > 0$. From the properties of random coding exponents [22, Section 5.6], we see 
that $E_m(R_1) > 0$ if 

S( Jw \k) 



Ri < /(Qa; S) = J2 E Q^)S{j w \k) log ^ 



.i)S(j w \i) 

Hence, the maximum secrecy rate achievable by a code from the ensemble is I(Q 2 ; S) ~ C w . We immediately see 
that for the special case of a wire tap channel considered in ® secrecy capacity is achievable by some code in 
the ensemble. In particular, if both the main channel and wire tapper's channel are symmetric, secrecy capacity is 
achievable. 
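A numerical illustration of Theorem 6, added here and not part of the original paper: it evaluates the exponents $E_m(R_1)$ and $E_w(R_2)$ and the resulting bound for constructed binary symmetric main and wiretapper channels. The crossover probabilities (0.02 and 0.20), the uniform input distribution used as $Q_2$, the rates (in nats) and the grid search over $\rho$ are assumptions of this example.

```python
import math

def gallager_e0(rho, Q, W):
    """E(rho, Q) = -log sum_j [ sum_k Q(k) W(j|k)^(1/(1+rho)) ]^(1+rho), in nats.
    W[k][j] is the probability of output j given input k."""
    total = 0.0
    for j in range(len(W[0])):
        inner = sum(Q[k] * W[k][j] ** (1.0 / (1.0 + rho)) for k in range(len(Q)))
        total += inner ** (1.0 + rho)
    return -math.log(total)

def coding_exponent(R, Q, W, steps=1000):
    """Grid search over rho in [0, 1] for the max of E(rho, Q) - rho * R (R in nats)."""
    return max(gallager_e0(i / steps, Q, W) - (i / steps) * R
               for i in range(steps + 1))

def mutual_information(Q, W):
    """I(Q; W) in nats for input distribution Q and channel W."""
    out = [sum(Q[k] * W[k][j] for k in range(len(Q))) for j in range(len(W[0]))]
    return sum(Q[k] * W[k][j] * math.log(W[k][j] / out[j])
               for k in range(len(Q)) for j in range(len(W[0])) if W[k][j] > 0)

def bsc(p):
    """Transition matrix of a binary symmetric channel with crossover probability p."""
    return [[1 - p, p], [p, 1 - p]]

def theorem6_bound(n, R1, R2, Q, T, S):
    """Return exp(-n E_m(R1)) + exp(-n E_w(R2)) together with both exponents."""
    Em = coding_exponent(R1, Q, T)   # main channel exponent, built from E_1
    Ew = coding_exponent(R2, Q, S)   # wiretapper exponent, built from E_2
    return math.exp(-n * Em) + math.exp(-n * Ew), Em, Ew

# Constructed parameters (assumptions of this example, not values from the paper).
Q = [0.5, 0.5]                  # uniform inputs, the maximizing choice for a BSC
T = bsc(0.02)                   # main channel
S = bsc(0.20)                   # wiretapper's channel
C_w = mutual_information(Q, S)  # capacity of the wiretapper's BSC, in nats
R2 = 0.9 * C_w                  # just below C_w, so E_w(R2) > 0
R1 = 0.5                        # nats per channel use

if __name__ == "__main__":
    for n in (2000, 20000, 100000):
        bound, Em, Ew = theorem6_bound(n, R1, R2, Q, T, S)
        print(f"n={n:6d} E_m={Em:.5f} E_w={Ew:.5f} "
              f"bound={bound:.3e} R_s={R1 - R2:.4f} nats")
```

Because $R_2$ sits close to $C_w$, the exponent $E_w(R_2)$ is small and dominates the bound, so block lengths in the tens of thousands are needed before the bound becomes small.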

Appendix II 

Degree Distribution: Proofs for (13) and (14)

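Let $\lambda_G(x) = \sum_i \lambda_i x^{i-1}$, $\rho_G(x) = \sum_i \rho_i x^{i-1}$, $\lambda_{G_1}(x) = \sum_i \lambda_{1i} x^{i-1}$, $\rho_{G_1}(x) = \sum_i \rho_{1i} x^{i-1}$, $\lambda_{H^*}(x) = \sum_i \lambda^*_i x^{i-1}$, $\rho_{H^*}(x) = \sum_i \rho^*_i x^{i-1}$.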

Let $E_1$ and $E_2$ be the total number of 1s in the matrices $G$ and $G_1$, respectively. From the definition of degree distribution, the number of 1s in $G$ and $G_1$ from rows of weight $i$ equals $\rho_i E_1$ and $\rho_{1i} E_2$, respectively. Therefore, $\rho^*_i$ (fraction of 1s in $H^*$ from rows of weight $i$) is given by

$$\rho^*_i = \frac{\rho_i E_1 + \rho_{1i} E_2}{E_1 + E_2} = \rho_i\,\frac{E_1}{E_1 + E_2} + \rho_{1i}\,\frac{E_2}{E_1 + E_2}. \tag{34}$$

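The number of weight $i$ columns in $G$ and $G_1$ equals $\frac{\lambda_i}{i}E_1$ and $\frac{\lambda_{1i}}{i}E_2$, respectively. The total number of columns in $G$ or $G_1$, $n$, can be written as

$$n = E_1\sum_i \frac{\lambda_i}{i} = E_2\sum_i \frac{\lambda_{1i}}{i}.$$

Using the above relations in (34) for $E_1$ and $E_2$ and replacing $\sum_i \frac{\lambda_i}{i}$ (respectively $\sum_i \frac{\lambda_{1i}}{i}$) with $\int_0^1 \lambda_G(x)\,dx$ (respectively $\int_0^1 \lambda_{G_1}(x)\,dx$), we get (14).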

To prove (13), we use the node-based degree distribution of LDPC ensembles. The coefficient of $x^i$ in

$$\frac{\int_{u=0}^{x} \lambda_G(u)\,du}{\int_0^1 \lambda_G(x)\,dx} \tag{35}$$
equals the probability that a randomly chosen column of $G$ has weight $i$. Similarly, the coefficient of $x^i$ in

(36)

equals the probability that a randomly chosen column of $G_1$ has weight $i$. Note that the polynomials in (35) and (36) are generating functions of independent random variables denoting the weight of a randomly chosen column in $G$ and $G_1$, respectively. Since the weight of a column of $H^*$ equals the sum of the weight of the column in $G$ and the weight of the column in $G_1$ and the two weights in $G$ and $G_1$ are independent, we have




Differentiating the above equation gives (13).